What would be a good way to design access to document for a certain duration only?

e.g. give access on a file or folder to a user or role, then have the system automatically remove the given access privilege in, say, 7 days...

I am thinking about designing an interface that gives the privilege then at same time adds a cron job which reverses the privilege after a set number of days. But, with so many files/folders, there would be tons of cron jobs which could adversely impact performance. Also, in case the user changes the privileges again, it would be very messy to change the existing cron jobs related to the same file or folder.

suppose we have 100,000 folders where each contains the medical files of one patient. These folders will not be accessible to anyone, except admin.

When a patient comes to the hospital, a few doctors and a few nurses will need access to his files for a few days. So, the administrator will give access to say 5 people to access them by adding their user (or can be done by role), and then access should be revoked later on.

To manually revoke access each time would be too much work. A better solution is to give access to a folder for a specific amount of days, at the end of which access should be revoked automatically.

About 2% to 3% of all folders should be available for viewing (accessible to dr. and nurses) at any day i.e. 2000 to 3000 folders.

In your scenario I will create an extra table with columns ( folder_uuid, date_to_revoke, granted_user, granted_role ) -> take it as an initial aproach.

With crontab task, can schedule daily the permissions you must remove, based on the table log you have created.

Create a minimal application ( jsp or application.war connected to openkm with sdk4j, or .net application, see our sdk's from docs.openkm.com ) logged as administrator. From there modify grants and also add the changes in the extra table. This application should:
-- search for a specific folder ( patient ), when found:
-- apply security changes and log into the extra table

Hope it could be used by you as an starting point. Really is not much complex feature. I also suggest make daily reports of added and removed grants and always take control on possible error during the process. The most important thing is controlling errors.